Process control system with integrated safety control system

1. A method for receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising the steps of: converting an application program instance into said machine operation code, said application program instance having at least two process unit step objects; executing said machine operation code in a first control computer; executing said machine operation code in a second control computer; defining a first proposed process unit step in said first control computer to modify the active process unit step from a current process unit step to a new process unit step; defining a second proposed process unit step in said second control computer to modify the active process unit step from the current process unit step to a new process unit step; bilaterally transmitting said first and second proposed process unit steps between said first control computer and said second control computer so that each control computer contains both proposed process unit steps; arbitrating said first and second proposed process unit steps in said first control computer to define a next process unit step; arbitrating said first and second proposed process unit steps in said second control computer to define a next process unit step; and effecting in each control computer the next process unit step as the new current process unit step.

2. The method of claim 1 wherein said converting step uses a compiling translator having an embedded safety integrity programming rule set and wherein said safety integrity programming rule set provides adjoinder between said control computer, procedures and structures in said machine operation code, and safety integrity requirements, said method further comprising the steps of: executing said machine operation code in a first control computer having a primary memory and a shadow memory wherein said first control computer reads said input signals and determines a first process control signal from first arbitrated input values; executing said machine operation code in a second control computer having a primary memory and a shadow memory wherein said second control computer reads said input signals and determines a second process control signal from second arbitrated input values; bilaterally transmitting said input signals between said first control computer and said second control computer; determining said first arbitrated input values in said first control computer from the input signals transmitted from said second control computer and the input signals read by said first control computer; determining said second arbitrated input values in said second control computer from the input signals transmitted from said first control computer and the input signals read by said second control computer; and coupling together to said control device the first process control signal and the second process control signal into one said output signal.

3. The method of claim 2 wherein said compiling translator compiles a Boolean operator type and a safety-domain Boolean operator type in said converting step.

4. A control computer receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising: means for evaluating real-time competence of said control computer to execute said machine operation code in essentially full accordance with said control computer as designed; and means for halting execution of said machine operation code when said real-time competence is unacceptable; wherein said machine operation code is compiled from an application program instance by a compiling translator, wherein said application program instance has at least one safety integrity programming source code section and at least one general control source code section, wherein said control computer has a program memory section of memory for holding a portion of said machine operation code which is non-variant in real-time, and wherein said compiling translator further has a safety integrity programming rule set providing adjoinder between said control computer, procedures and structures in said machine operation code, and safety integrity requirements; means for interpreting a function type statement of said application program instance into a first list of input and output signals respective to said safety integrity programming section; means for defining a compiling translator signature data value characterizing said machine operation code for said program memory section; means for defining, independent of said function type statement, a second list of input and output signals in said application program instance respective to said safety integrity programming section; means for comparing the values in said first list and the values in said second list; and means for suppressing the generation of said machine operation code if said first list and said second list are different in the values that they contain; and said control computer further comprises: means for defining a real-time signature data value characterizing said machine operation code in said program memory section; means for comparing said real-time signature data value to said compiling translator signature data value; and means for halting real-time execution of said machine operation code when said compiling translator signature data value and said real-time signature data value are different in value.

5. A control computer receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising: means for evaluating real-time competence of said control computer to execute said machine operation code in essentially full accordance with said control computer as designed; and means for halting execution of said machine operation code when said real-time competence is unacceptable; wherein said machine-operation code is compiled from an application program instance by a compiling translator, said compiling translator having: a safety integrity programming rule set providing adjoinder between said control computer, procedures and structures in said machine operation code, and safety integrity requirements; means for compiling a first process unit step data object in dependence upon said safety integrity programming rule set; and means for compiling a second process unit step data object independently of said safety integrity programming rule set; further comprising: a primary memory and a shadow memory; means for comparing data values in said primary memory and respective data values in said shadow memory; and means for halting said control computer when said data values in said primary memory and said respective data values in said shadow memory are different.

6. A method for receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising the steps of: evaluating real-time competence of said control computer for executing said machine operation code in essentially full accordance with the design of said control computer; and discontinuing said output signal when said real-time competence is unacceptable; further comprising the steps of: providing a primary memory in said control computer; providing a shadow memory in said control computer; comparing data values in said primary memory and respective data values in said shadow memory when read-accessed in real-time; and halting said control computer when said data values in said primary memory and said respective data values in said shadow memory are determined by said comparing step to be different.

7. A method for receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising the steps of: generating said machine operation code with a compiling translator using a safety-domain rule set and a standard operations rule set; and loading said machine operation code into a control computer for execution in determining said output signals; wherein said compiling translator compiles an application program instance into machine operation code in said machine operation code generating step, said application program instance has a safety integrity programming section, and said method further comprises the steps of: interpreting, in said compiling translator, a function type statement of said application program instance into a first list of input and output signals respective to a safety integrity programming rule set in said compiling translator for providing adjoinder between said control computer, procedures and structures in said machine operation code, and safety integrity requirements; defining, in said compiling translator, independent of said function type statement, a second list of input and output signals in said application program instance respective to said safety integrity programming section; comparing, in said compiling translator, the values in said first list and the values in said second list; and suppressing, in said compiling translator, the generation of said machine operation code if said first list and said second list are different in the values they contain.

8. A method for receiving input signals from manufacturing equipment and executing machine operation code determining at least one output signal adjusting at least one respective control device in said manufacturing equipment, comprising the steps of: generating said machine operation code with a compiling translator using a safety-domain rule set and a standard operations rule set; and loading said machine operation code into a control computer for execution in determining said output signals; wherein said compiling translator converts an application program instance into said machine operation code in said machine operation code generating step, wherein said application program instance has a safety integrity programming section, and wherein said safety-domain rule set provides adjoinder between said control computer, procedures and structures in said machine operation code, and safety integrity requirements, said method further comprising the steps of: providing a data memory and a program memory in said control computer; interpreting, in said compiling translator, a function type statement of said application program instance into a first list of input and output signals respective to said safety integrity programming compiling translator section; defining, in said compiling translator, a compiling translator signature data value characterizing said machine operation code in said program memory; defining, in said compiling translator and independent of said function type statement, a second list of input and output signals in said application program instance respective to said safety integrity programming compiling translator section; comparing, in said compiling translator, the values in said first list and the values in said second list; suppressing, in said compiling translator, the generation of said machine operation code if said first list and said second list are different in the values they contain; defining, in said control computer, a real-time signature data value characterizing said machine operation code in said program memory and for comparing said real-time signature data value to said compiling translator signature data value; and halting, in said control computer, real-time execution of said machine operation code when said compiling translator signature data value and said real-time signature data value are different in value.